Are RIAs Eligible for PPP?

Is a Registered Investment Advisor (“RIA”) eligible to participate in the Payment Protection Program (the “PPP”) administered by the Small Business Administration (“SBA”)? The short answer is “yes.”

The PPP was promulgated as part of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) which in part set aside hundreds of billions of dollars to help small businesses retain their employees during the COVID-19 crisis and the resultant work from home orders set forth by governors across the country.

Background

We understand that many RIAs applied for and were granted a loan under the CARES Act, and that some of these RIAs may be unsure of whether they were granted the loan in error, how they may spend the loan funds, or whether they can spend the loan funds at all. We hope the guidance below answers some of these questions. Applying for and receiving a PPP loan on the basis of knowingly false statements is a criminal offense, and we strongly encourage any RIA unsure of its PPP eligibility to seek particular legal advice.

The guidance below hinges on whether an RIA engages in speculative operations, holds any securities or other speculative assets, or is simply engaged in financial advisory services.

SBA Guidance

The SBA published an Interim Final Rule on April 2, 2020 (the “Interim Final Rule”). Specifically, the Interim Final Rule provides that “Businesses that are not eligible for PPP loans are identified in 13 CFR 120.110 and described further in SBA’s Standard Operating Procedure (SOP) 50 10, Subpart B, Chapter 2….” (the “SOP”).

Some of the ineligible financial markets and funds businesses listed in the SOP include, without limitation:

  • Banks;
  • Life insurance companies (but not independent agents);
  • Finance companies;
  • Investment companies;
  • Certain passive businesses owned by developers and landlords, which do not actively use or occupy the assets acquired or improved with the loan proceeds, and/or which are primarily engaged in owning or purchasing real estate and leasing it for any purpose; and
  • Speculative businesses that primarily “purchas[e] and hold[ ] an item until the market price increases” or “engag[e] in a risky business for the chance of an unusually large profit.”

On April 24, 2020, the SBA issued its Fourth Interim Final Rule on the PPP (the “Fourth Interim Final Rule”). The Fourth Interim Final Rule explicitly states that hedge funds and private equity firms are not eligible for a PPP loan.

Discussion

Ineligible Companies.

If the RIA is also a hedge fund or a private equity firm, then it may not be eligible to receive a PPP loan. If, however, the RIA is legally distanced from those entities through appropriate corporate structures, and the loan is only used for the RIA business, then the RIA should be eligible to receive the PPP funds.

Because most RIAs are not also banks or life insurance companies, the exclusions should not apply. However, as some RIAs also sell life insurance products, such individual situations may require more research.

Finance companies are also ineligible under the SBA guidelines to receive PPP funds. The SBA guidelines define a finance company as one “primarily engaged in the business of lending, such as banks, finance companies, and factors.” (Sec. 120.110(b) of the SBA’s Business Loans regulations). Thus, this exclusion should not apply. Similarly, an RIA may not be deemed an investment company, which is a company organized under the Investment Company Act of 1940, unless the RIA was in fact incorporated under that Act.

An RIA also may not meet the definition of a “speculative business” as defined above in the Interim Final Rule. If an RIA does not purchase or hold assets until the market price increases or engage in a risky business for the chance of an unusually large profit, then it will not meet this definition. Speculative businesses may also include: (i) wildcatting in oil, (ii) dealing in stocks, bonds, commodity futures, and other financial instruments, (iii) mining gold or silver in other than established fields, (iv) building homes for future sale, (v) a shopping center developer, and (vi) research and development. (Sec. 120.110(s) of the SBA’s Business Loans regulations, SBA Eligibility Questionnaire for Standard 7(a) Guaranty, and SOP Subpart B D (Ineligible Businesses).) It is our understanding that an RIA that merely provides portfolio management services would not be deemed to be involved in a “speculative” business based on the examples of such businesses provided by the SBA. If the SBA had taken the position that financial advisory services are speculative, it could easily have so indicated by including such services in its lists of speculative businesses.

Financial Advisory Services.

Consistent with this view, the SBA has provided clear guidance that financial advisory services are eligible for SBA loans, including loans under the PPP. In the SBA’s SOP, the SBA provides the following: “A business engaged in providing the services of a financial advisor on a fee basis is eligible provided they do not use loan proceeds to invest in their own portfolio of investments.” (SOP Sec III(A)(2)(b)(v) pp.104-105) (emphasis added).

This guidance is clear that the focus of ineligibility is at the portfolio company level, not the advisory level, and this is consistent with the guidance noted above making hedge funds and private equity firms ineligible. Hedge funds and private equity firms make money based upon speculative investments and/or appreciation of the markets. An investment advisor operates at the consulting or services level. In other words, the SBA has distinguished between true speculative operations such as wildcatting, speculative real estate development and investing in securities, and service-based operations such as the investment advisory business. Assuming that an eligible RIA did not use any proceeds of the PPP loan at any investment level, such RIA should not be deemed a speculative business and is eligible for a PPP loan.

SEC Guidance

SEC guidance affirms that RIAs are eligible for PPP loans. While the SEC imparts certain burdens on RIAs that accept PPP loans, the fact that the SEC even acknowledges such burdens should give most RIAs confidence that a PPP loan is available to them.

For RIAs that are eligible to receive PPP funds under the SBA guidance set forth above, the SEC instructs that they must comply with their fiduciary duty under federal law and make a full and fair disclosure to their clients of all material facts relating to the advisory relationship. The SEC further posits that “If the circumstances leading you to seek a PPP loan or other type of financial assistance constitute material facts relating to your advisory relationship with clients, it is the staff’s view that your firm should provide disclosure of, for example, the nature, amounts and effects of such assistance.” An example of a situation in which the SEC would require such disclosure is an RIA that needs PPP funds to pay the salaries of employees who are primarily responsible for performing advisory functions for the RIA’s clients. In this case the SEC would require disclosure, as this may materially affect the financial well-being of the RIA’s clients.

The SEC additionally provides that “if your firm is experiencing conditions that are reasonably likely to impair its ability to meet contractual commitments to its clients, you may be required to disclose this financial condition in response to Item 18 (Financial Information) of Part 2A of Form ADV (brochure), or as part of Part 2A, Appendix 1 of Form ADV (wrap fee program brochure).” (SEC Division of Investment Management Coronavirus (COVID-19) Response FAQs).

Summary

While the CARES Act and PPP are recently enacted, and there is some confusion surrounding the eligibility requirements for the PPP, the SBA had a clear opportunity to deem financial advisors ineligible in the Interim Final Rule and Fourth Interim Final Rule, but specifically chose not to do so. Instead, the SBA followed the direction of its historical eligibility requirements, holding to ineligibility at the fund and portfolio company level, but continuing to permit loans to firms operating at the advisory level.

While it is possible that the SBA could interpret its own rules and regulations inconsistently with the specific guidance provided in the Interim Final Rule and Fourth Interim Final Rule, the weight of the evidence strongly suggests that an investment advisor is eligible for a PPP loan as long as it does not use the proceeds for fund or portfolio company purposes.

A Brief Summary of Portions of the New CARES Act and What It Could Offer in Financial Relief to Churches and Other Tax-Exempt Organizations

It may be worth considering that many non-profits, including churches, might utilize provisions in the new Coronavirus Aid, Relief, and Economic Security Act or CARES Act (P.L. 116-136) to provide some economic relief. Potential applicants should review the new law in detail and discuss its requirements with their attorneys.

The new law sets aside about $349 billion for loans to various nonprofit organizations, including churches. The bridge period is from February 15, 2020 to June 30, 2020. It also includes a provision that can make the loans forgivable. Employers with up to 500 employees are eligible. Availability is first come, first served, so prompt application is recommended.

How the Loan May Be Used

Loan proceeds may be used for:

  • Payroll
  • Group health insurance, paid sick leave, medical and insurance premiums
  • Mortgage or rent payments
  • Utilities
  • Salary and wages
  • Vacation, parental leave, sick leave
  • Health benefits

Payroll includes:

  • Salary or wages, payments of a cash tip
  • Vacation, parental, family, medical, and sick leave
  • Health benefits
  • Retirement benefits
  • State and local taxes (excludes federal taxes)

Payroll costs are limited to $100,000 in annual salary or wages for each employee.

The application of the law to pastoral housing allowances is presently unclear, so I suggest that these be included in payroll costs.

The lenders will likely include the organization’s current banker, as funding will be routed through the SBA. The term of the loan is two years (unless forgiven) and it carries a 0.5% interest rate.

Maximum loan amount is limited to:

  • Total average monthly payroll costs for the preceding 12 months (April 2019 to March 2020) multiplied by 2.5; or
  • $10,000,000.

If you are a new church plant or new organization, use average monthly payroll costs for January and February 2020 multiplied by 2.5.

No loan payments are due under this program for 6 months. No loan fees apply. No collateral or personal guarantees will be required.

Good Faith Certificate

Applicant organizations will need to provide a Good Faith Certification at application and again after the coverage period (post-July 2020), attesting that:

  • The organization needs the loan to support ongoing operations during COVID-19.
  • Funds will be used to retain workers and maintain payroll, or to make mortgage, lease, and utility payments.
  • The organization has not received and will not receive another loan under this program.
  • The organization will provide the lender with documentation verifying how the funds were used.
  • Everything in the application is true and accurate.
  • The tax documents submitted are the same as those submitted to the IRS. Legal counsel should be involved here.
  • The lender may share information with the SBA and its agents and representatives.

Loan Forgiveness

The entire loan amount can be forgiven if the borrower qualifies. In general, the loan is forgivable if the borrower employed the same number of people during the loan period as it did last year.

  • Full-Time Equivalent Employee (FTE) is as defined in section 45R(d)(2) of the Internal Revenue Code of 1986.
  • The goal of this loan is for your 2020 FTEs to be equal to or greater than your 2019 FTEs. Essentially, the law provides that you must have equal to or more employees from February 15, 2020, to June 30, 2020, as you did last year from February 15, 2019, to June 30, 2019.
  • If you will have fewer employees in 2020 than in 2019, then you need to complete a calculation:

Average monthly FTEs from February 15, 2020 to June 30, 2020

divided by

Average monthly FTEs from February 15, 2019 to June 30, 2019, or average monthly FTEs from January 1, 2020 to February 29, 2020.

Limitations on Forgiveness

  • Only so much of the loan as is used for the payroll costs, benefits, mortgage, rent, or interest on other debt obligations can be forgiven.
  • Not more than 25% of the forgiven amount may be for non-payroll costs.
  • Loan forgiveness will be reduced if the borrower decreases its full-time employee headcount.
  • Loan forgiveness will also be reduced if the borrower decreases salaries by more than 25% for any employee that made less than $100,000 in 2019.
  • The borrower has until June 30, 2020 to restore its full-time employment and salary levels for any changes made between February 15 and April 26, 2020.

No collateral or personal guarantees will be required.

This note is intended only as an illustration of general legal principles and is not legal or tax advice. The reader is directed to discuss his or her specific circumstances with a qualified practitioner before taking any action.

Will Federal and State Governments Alter Insurance Contracts to Require Coverage for COVID-19 and Should Congress Fund Insurance Companies to Help Provide Coverage?

Business interruption insurance, also known as business income insurance, is commercial property insurance designed to cover loss of income incurred by a business due to a slowdown or suspension of its operations at its premises, under certain circumstances. Business interruption insurance may include coverage for a suspension of operations due to a civil authority or order, pursuant to which access to the policyholder’s premises is prohibited by a governmental authority. Business interruption insurance is often paired with extra expense insurance, designed to provide coverage for additional costs in excess of normal operating expenses an organization incurs in order to continue operations following a covered loss. Contingent business interruption insurance is a related product and is designed to provide coverage for lost profits resulting from an interruption of business at the premises of a policyholder’s customer or supplier.

Business interruption coverage is generally triggered when the policyholder sustains physical loss or damage to insured property by a covered loss as defined in the policy. In the event of a claim for a business interruption related to COVID-19, insurance carriers and policyholders will dispute whether the physical loss requirement has been satisfied. In the aftermath of previous viral outbreaks early this century (e.g., SARS, rotavirus, etc.), the insurance industry responded by adding exclusions designed to preclude coverage for such losses. The insurance coverage arguments will be the subject of litigation over the coming years.

On March 10, 2020, members of the United States House of Representatives requested that four major insurance trade organizations cover business interruption claims arising from COVID-19. The letter was addressed to the CEOs of the following organizations:

– The American Property and Casualty Insurance Association;

– The National Association of Mutual Insurance Companies;

– The Independent Insurance Agents & Brokers of America; and

– The Council of Insurance Agents & Brokers.

Members of Congress stated that business interruption insurance is intended to protect businesses against income loss as a result of operational disruption, and covering losses resulting from COVID-19 would “help sustain America’s businesses through these turbulent times, keep their doors open, and retain employees on the payroll.”

In response, the CEOs stated, “Standard commercial insurance policies offer coverage and protection against a wide range of risks and threats that are vetted and approved by state regulators. Business interruption policies do not, and were not designed to, provide coverage against communicable diseases such as COVID-19.” While recognizing the impact of the pandemic, the CEOs argued: “The proposed retroactive application legislation would fundamentally change the agreed-upon transfer of prospective risk-of-loss exposure to coverage for a known and presently occurring loss, something the parties did not agree to, the insurer did not rate for, and the policyholder did not pay for.”

New Jersey has taken preliminary steps to directly alter the terms of insurance contracts issued to insureds in New Jersey. On March 16, 2020, New Jersey Bill A-3844 was introduced with the goal of assisting businesses impacted by COVID-19.

The principal provision of draft Bill A-3844 states:

“Notwithstanding the provisions of any other law, rule or regulation to the contrary, every policy of insurance insuring against loss or damage to property, which includes the loss of use and occupancy and business interruption in force in this State on the effective date of this act, shall be construed to include among the covered perils under that policy, coverage for business interruption due to global virus transmission or pandemic, as provided in the Public Health Emergency and State of Emergency declared by the Governor in Executive Order 103 of 2020 concerning the coronavirus disease 2019 pandemic.”

While no other state has taken any measure as extreme as the draft bill in New Jersey, it is possible other states will seek to influence whether insurers provide coverage for claims relating to COVID-19. On March 10, 2020, the New York Department of Financial Services mandated property casualty insurers provide to the department, “Certain information regarding the commercial property insurance it has written in New York and details on the business interruption coverage provided in the types of policies for which it has ongoing exposure.” Insurers must also provide the same information to policyholders. Several observers have noted this move could be a precursor to a draft bill similar to NJ A-3844 being introduced in New York.

With the anticipated passage (not finalized yet at the time of this article) of a $2 trillion economic relief package, it seems appropriate that Congress should assist insurers if they are going to ask insurance companies to pay for business interruption arising from COVID-19. By encouraging insurance companies to honor such claims, Congress seeks to support business and provide capital to the economy. Other industries such as the cruise industry and the aviation industry are receiving large bailouts as a result of COVID-19, under the theory that it’s “not their fault.” Perhaps given the extraordinary situation, the insurance industry can receive similar help in exchange for increasing the scope of coverage. In that way, the insurance industry would be required to be more reasonable when it considers coverage claims for COVID-19.

Pastore & Dailey Managing Partner Receives AV Preeminent Rating for 2020

Pastore & Dailey LLC is proud to announce that Managing Partner, Joseph M. Pastore, III has been named by Martindale-Avvo to receive the AV Preeminent Rating for the year 2020. This rating is the highest possible rating in both legal ability & ethical standards for practicing attorneys. Mr. Pastore received this honor for his exemplary devotion to judicial standards and ethics practices as an attorney. Mr. Pastore has been a recipient of this honor for the past 10 consecutive years. In addition, Corporate Counsel & The American Lawyer magazines have named Mr. Pastore as a Top-Rated Litigator for the year 2020.

Interest When Enforcing a Money Judgement and the Discretionary Power of Connecticut Courts to Impose a Reasonable Rate of Post-Judgement Interest

Prior to its repeal in 1983, General Statutes § 52-349 had provided generally for the collection of “legal interest in the amount of the judgment from the time it was rendered.” Presently, General Statutes § 37-3b provides for post-judgment interest in connection with actions “to recover damages for injury to the person, or to real or personal property, caused by negligence.” Additionally, General Statutes § 37-3a serves as the source for post-judgment interest on claims to which General Statutes § 37-3b does not apply (i.e., interest awards in certain civil actions not involving negligence).[1]

Most credit agreements contain terms that allow interest to accrue on unpaid balances. These interest rates are usually anywhere from single digits to the high teens. Until recently, many Connecticut courts would alter the contractual interest rate when entering judgment against a defaulting borrower. Courts did so based on Conn. Gen. Stat. § 37-3a, which provides that post-judgment interest is discretionary and is capped at 10%. Many Connecticut courts read this to mean that 10% was the most interest they could order after judgment, but that they could award interest at a lower rate, or even no post-judgment interest, as they saw fit. Therefore, the discretionary nature of an order for post-judgment interest has become a product of case law development and interpretation rather than statutory provision.

The Connecticut Supreme Court in Sikorsky Fin. Credit Union, Inc. v. Butts, clarified the circumstances and interest rate for creditors to receive post judgment interest. In Sikorsky, a lender sued its borrower to obtain a deficiency judgment after the loan collateral (automobile) was repossessed and liquidated leaving a balance due on the loan. The loan documents contained an interest rate of 9.14 percent and further stated that the lender “may charge interest at a rate not exceeding the highest lawful rate” until the deficiency is paid.[2]

The Sikorsky Court found that Connecticut law provides for two distinct types of interest by statute under §§ 37-1 and 37-3a. First, Connecticut General Statutes § 37-1 provides that the court, as part of a judgment enforcing a loan, must award post judgment interest at the rate of interest agreed upon by the parties, or eight percent if the parties did not specify the rate for post judgment interest. The court is only relieved of this obligation if the parties disclaimed post judgment interest. Second, Connecticut General Statutes § 37-3a provides the authority for the court to award discretionary interest up to ten percent as damages for the detention of money, when the duty to pay arises from an obligation other than a loan of money or when the parties to a loan have waived or disclaimed interest.[3]

In Hartford Steam Boiler Inspection and Insurance Co. v. Underwriters at Lloyds and Companies Collective, the Connecticut Supreme Court awarded post-judgment interest in a commercial dispute, holding that “post-judgment interest is intended to compensate the prevailing party for a delay in obtaining money that rightfully belongs to him.”[4] In DiLieto v. County Obstetrics and Gynecology Group, P.C., the Connecticut Supreme Court held that “in the context of § 37-3a, a wrongful detention of money, that is, a detention of money without the legal right to do so, is established merely by a favorable judgment on the underlying legal claim, so that the court has discretion to award interest on that judgment, without any additional showing of wrongfulness, upon a finding that such an award is fair and equitable.”[5]

In Cavolick v. Desimone, a Superior Court held that the maximum statutory rate of 10% was appropriate for an award of post-judgment interest, even though it was greater than the rate generated at the time by conservative investments, because it was less than the interest charged on other sorts of debt such as credit cards and “an amount greater than that generated by conservative investments may well provide some incentive to pay a judgment.” The 10% interest rate expressed in General Statutes § 37-3a is, however, not a required rate but, rather, the maximum rate of interest that a trial court, in its discretion, may award.[6] Finally, in Cadle Co. v. Steiner, a Superior Court held that an award of post-judgment interest is discretionary and denied an award of post-judgment interest where the plaintiff sought execution on property and repeatedly demanded more post-judgment interest than it was entitled to. The court also held that when a judgment is ordered paid in installments, with no provision for interest, post-judgment interest does not run prior to a default in the payments ordered.[7]

In conclusion, the 10% rate referenced in General Statutes § 37-3a is not a mandatory rate that applies generally to all applications of post-judgment interest. Rather, the statute and its application in case law provide that the 10% interest rate in § 37-3a is a cap on post-judgment interest for damages. Additionally, an order applying post-judgment interest is within the discretion of the court and is determined on a case-by-case basis, requiring a factual analysis to arrive at a reasonable rate of interest that compensates the aggrieved party.

Disclaimer: this article is for educational purposes only and to give you a general understanding of the law, not to provide specific legal advice. No attorney-client relationship exists by reading this article. This article should not be used as a substitute for legal advice from a licensed professional attorney in your state.

____________________________________________________________________________________

[1] 12 Conn. Prac., Unfair Trade Practices § 6.8 (Interest).

[2] Sikorsky Fin. Credit Union, Inc. v. Butts, 315 Conn. 433 (2015).

[3] Sikorsky Fin. Credit Union, Inc. v. Butts, 315 Conn. 433 (2015).

[4] Hartford Steam Boiler Inspection and Ins. Co. v. Underwriters At Lloyd’s and Companies Collective, 121 Conn. App. 31 (2010).

[5] DiLieto v. County Obstetrics and Gynecology Group, P.C., 310 Conn. 38 (2013).

[6] Cavolick v. Desimone, 39 Conn. L. Rptr. 781 (Conn. Super. Ct. 2005).

[7] Cadle Co. v. Steiner, 51 Conn. L. Rptr. 480 (Conn. Super. Ct. 2011).

Pastore & Dailey Wins Motion to Dismiss Against Texas-Based Oil and Gas Company

Pastore & Dailey represented a New York plaintiff in connection with a dispute over services provided in association with the acquisition and management of various oil and gas properties in Abilene, Texas. In anticipation of this suit, Defendants wrongfully instituted an anticipatory action in the Federal District Court for the Northern District of Texas.

Pastore & Dailey submitted a Motion to Dismiss the Texas action based on the premise that the action was anticipatory of the New York Action and was an act of inequitable forum shopping. The Court found that “compelling circumstances” existed that favored the dismissal of the Texas action. Pastore & Dailey will now continue to represent the Plaintiff in his home forum of New York.

The Importance of Value-Added Billing Based upon the Circumstances Presented

As the cost of legal fees continues to rise, many clients are justifiably concerned about the economic implications of retaining an expensive law firm. According to the legal fee analysis organization NALFA, a not insignificant proportion of the country’s top attorneys have recently begun charging more than one thousand dollars an hour for their services.1 Adding to that the ever-increasing cost of junior associate billings,1 many businesses are facing a conundrum: the price of legal services often exceeds the cost involved with litigating or settling a matter. To fulfill their responsibilities to clients, law firms must move beyond costly price structures and embrace value-added billing – an approach that emphasizes the importance of improving a client’s bottom line by embracing flexible billing rates and alternative fee arrangements. 

What value can a law firm legitimately claim to provide when its billings outstrip the cost of a settlement? Despite all the cachet that comes with the retention of a large national firm, common sense dictates that clients are getting a raw deal when law firms cannot add value in the course of their work. If clients do not see their bottom line improve after retaining a certain firm, that firm simply does not deserve their business.

Value-added billing does not just benefit clients, however. In the long run, it may well benefit law firms to make an honest accounting of the cost of legal services – especially because clients may cut and run if they find themselves overpaying for legal fees. Value-added billing may also obviate the newfound preference of many businesses for non-traditional legal services,2 which often prove to be more flexible and economical than the costly billing practices employed by most firms.

To transition from unfair, costly billing practices to value-added billing, firms can make several changes to their fee structures. First, they can adjust their average billing rates in accordance with the estimated cost of litigating or settling a certain matter. If the attorney tasked with handling a certain matter realizes that their usual legal fees will surpass the expected cost of litigation or settlement, he or she should adjust them accordingly. In addition, firms can add value by embracing alternative fee structures. If an attorney determines that taking a matter on a contingency basis is likely to improve their client’s bottom line, he or she should not hesitate to do so. 

Obviously, this sort of common-sense calculation can be thrown into confusion by uncertainty as to the final cost of litigation or settlement. The success or failure of legal procedures like litigation or arbitration (not to mention their length) cannot easily be predicted, especially considering that the introduction of new evidence or an unexpected level of intransigence on the part of the opposing party sometimes scrambles the contours of a matter. But legal expertise and experience can help ameliorate this problem. Presumably, senior partners will have handled similar cases in the past and can extrapolate from the cost of litigating or settling those cases to estimate the potential impact on a client’s bottom line. (This assumes, of course, that firms are keeping close track of their total billings for each matter they handle.)

Law is a business like any other, even if many attorneys are loath to admit it. Their primary task should be to add value, not to charge unfair fees. Anything else risks hurting the firms they were hired to represent.

  1. http://www.thenalfa.org/blog/law-s-1-000-plus-hourly-rate-club/
  2. https://abovethelaw.com/2019/07/biglaw-is-losing-out-on-legal-work/

Connecticut’s New Insurance Data Security Law: The Costs and Benefits of Compliance

An important section of the recent budget bill adopted by the state of Connecticut demonstrates that regulatory fever has become contagious, at least as far as data security is concerned. Section 230 of the recently adopted bill sets forth a comprehensive set of cybersecurity regulations for the state’s insurers, requiring them to comport with guidelines modeled after those developed by New York State’s Department of Financial Services (DFS).1 Connecticut insurers will now have to develop a “comprehensive written information security program,” evaluate the efficacy of that program “not less than annually,” and periodically aver to the state’s Insurance Commissioner that the law’s provisions are being followed.2 In addition, the law requires that insurers establish strict cybersecurity regulations for third parties and develop “incident response plan[s]” to recover in the wake of a cyberattack.3

The data security law also establishes a comprehensive enforcement regime to investigate and punish noncompliance. Under the provisions of Section 230, the state’s Insurance Commissioner has a broad investigative power to verify compliance with the new regulations.4 Furthermore, the Commissioner retains the power to punish recalcitrant insurers by revoking business licenses and issuing fines of up to fifty thousand dollars (provided that the offending firms have not shown themselves to be exempt in an evidentiary hearing).5 The law does contain some exceptions, however. For a one-year period between 2020 and 2021, insurers with fewer than twenty employees will be exempt from the law’s requirements, and from 2021 on insurers with fewer than ten employees will be exempt.6 Moreover, those firms already compliant with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (a federal statute)7 are exempted from the Connecticut law if they can certify their compliance to state regulators.8 Nevertheless, compliance figures to be costly for Connecticut insurers.

As discussed on this blog previously, however, the cost of a cyberattack can often far outstrip the cost of compliance with cybersecurity regulations. This goes double for insurance companies, especially because such firms often possess “high-value consumer information, such as sensitive personal information, health information and payment card information.”[9] Thanks to the creation of cybersecurity insurance, insurers are often left holding the bill in the wake of a devastating cyberattack elsewhere. Because they have presumably processed numerous such claims, they should know better than anyone else the true cost of a data breach. The aid of knowledgeable legal professionals and a healthy dose of common sense are all that stand in the way of cost-saving compliance with Connecticut’s new cybersecurity regulations.


  1. https://www.natlawreview.com/article/connecticut-budget-includes-insurance-data-security-law
  2. https://www.cga.ct.gov/2019/act/pa/pdf/2019PA-00117-R00HB-07424-PA.pdf
  3. Ibid
  4. Ibid
  5. Ibid
  6. Ibid
  7. Better known as HIPAA
  8. https://www.cga.ct.gov/2019/act/pa/pdf/2019PA-00117-R00HB-07424-PA.pdf
  9. https://www.stradley.com/-/media/files/publications/2017/05/landon—cyber-attacks-targeting-insurers.pdf

Data-Centric Security Strategies and Regulatory Compliance

In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.[1] Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.[1] Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.[1]

Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.[2] As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.[3] Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies[4] – “maintains data usability in its protected form,” striking a balance between security and accessibility.[5] Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.

But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”[6] New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”[6] Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.[6] New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.
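The “usability in its protected form” property of FPE described above, shown as an added example that is not from the PKWare white paper or any vendor: a simplified Feistel-style format-preserving cipher over decimal strings (illustrative only, not NIST FF1), plus a helper that keeps a card number’s issuer prefix and last four digits visible while encrypting the middle six, so the protected value still fits a 16-digit field. The key and card numbers are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; real deployments fetch keys from a KMS or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ROUNDS = 10

def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """HMAC-SHA256 over (tweak, round number, other half), reduced to `width` digits."""
    msg = tweak + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def _feistel(digits: str, key: bytes, tweak: bytes, decrypt: bool) -> str:
    """Unbalanced Feistel network over a decimal string (illustrative only, not
    NIST FF1): even rounds update the left half, odd rounds the right half;
    decryption replays the rounds backwards, subtracting instead of adding."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least two digits")
    u = len(digits) // 2
    left, right = digits[:u], digits[u:]
    sign = -1 if decrypt else 1
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if rnd % 2 == 0:
            w = len(left)
            left = str((int(left) + sign * _round_fn(key, tweak, rnd, right, w)) % 10 ** w).zfill(w)
        else:
            w = len(right)
            right = str((int(right) + sign * _round_fn(key, tweak, rnd, left, w)) % 10 ** w).zfill(w)
    return left + right

def fpe_encrypt(digits: str, key: bytes = DEMO_KEY, tweak: bytes = b"") -> str:
    """Encrypt digits to the same number of digits: the format is preserved."""
    return _feistel(digits, key, tweak, decrypt=False)

def fpe_decrypt(digits: str, key: bytes = DEMO_KEY, tweak: bytes = b"") -> str:
    return _feistel(digits, key, tweak, decrypt=True)

def protect_card_number(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keep the issuer prefix (6 digits) and last four visible, encrypt the middle
    six, and bind the visible digits in as the tweak so identical middles encrypt
    differently under different prefixes or endings."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    head, middle, tail = pan[:6], pan[6:12], pan[12:]
    return head + fpe_encrypt(middle, key, (head + tail).encode()) + tail

def unprotect_card_number(protected: str, key: bytes = DEMO_KEY) -> str:
    head, middle, tail = protected[:6], protected[6:12], protected[12:]
    return head + fpe_decrypt(middle, key, (head + tail).encode()) + tail
```

Because the output is still sixteen digits, existing validation, storage and display code (such as “last four” receipts) keeps working on the protected value, which is the usability argument the passage makes.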

____________________________________________________________________________________

  1. https://pkware.cachefly.net/webdocs/pkware_pdfs/us_pdfs/white_papers/WP_Data_Centric_Security_Blueprint.pdf
  2. https://www.symantec.com/blogs/expert-perspectives/data-centric-security-changing-landscape
  3. https://www.comforte.com/fileadmin/Collateral/comforte_FS_tokenization_vs_FPE_WEB.pdf?hsCtaTracking=8a3a11b3-5ba3-4e1a-a41f-78bb92d22458%7C358952c5-4dff-4793-bbeb-8835361c3b14
  4. https://www.1stmarkets.de/en/blog/blog-article-3
  5. https://www.techpowerusa.com/wp-content/uploads/2018/03/MicroFocus.Techpower-Big-Data-eBook-2018-9434.pdf
  6. https://www.vera.com/wp-content/uploads/2018/02/Veras-Guide-to-the-NY-DFS-Regulations.pdf

Cybersecurity Compliance Could Have Saved Capital One Millions

A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealously safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.[1] Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.[1] Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.[2] In fact, had Thompson been more careful to remain anonymous,[3] the data breach could well have become catastrophic.

First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services, which are now being enforced by the state’s new Cybersecurity Division, this problem may have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.[5] Had Capital One encrypted or tokenized[6] all of the data subject to the recent breach, it is possible that the effects of the cyberattack may have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.[1] Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.[3]

Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.

Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.[7] Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.